New Risk Management and Internal Audit Framework for Local Councils in NSW

Note:
ARIC = audit, risk and improvement committee
IA = internal audit
RM = risk management
LG Act = Local Government Act 1993
Background
Definitions
Worldwide ‘three lines of defence’ model
TARGET - Council’s strategic goals, operations, service delivery, outcomes
RISKS
1st line of defence: everyday actions by staff to identify and manage risk
  reported to staff & managers
  e.g. council policies, procedures, rules, ‘the way things are done’
2nd line of defence: management actions to ensure risks are properly managed
  reported to GM
  e.g. coordinated RM framework
3rd line of defence: experts that provide independent external advice to council
  reported to governing body & GM
  e.g. independent ARIC, IA function
Cross-sector implementation
Private sector
  All entities listed on ASX must have ARIC and report if they do not
  All companies must disclose to potential investors if they have an ARIC or IA – most investors won’t invest if they don’t
  All financial and superannuation institutions required to have ARIC and IA
Public sector
  All Commonwealth Govt depts/agencies must have ARIC and RM. IA strongly encouraged
  All NSW Govt depts/agencies must have ARICs, RM and IA
  QLD, TAS, WA, VIC and NT Govt depts/agencies must have ARICs, RM and IA. Highly recommended in SA and ACT (as of 2019)
  WA, VIC, QLD councils must have ARICs and IA (as at 2019)
Why do we want this in councils?
Ensure councils achieve their strategic objectives, operational plans, delivery programs etc in the most efficient, effective and economical way
Ensure better use of public money
Reduce opportunities for fraud and corruption
Create a culture of continuous improvement in councils
Ensure better service delivery to communities
Deliver increased transparency and accountability
Story so far
2008  Voluntary Internal Audit Guidelines released by OLG
2011  ICAC Burwood Council inquiry – found absence of IA allowed corruption to occur
2012  Auditor-General recommends mandatory IA for councils
2013  Independent reviews of LG Act recommend mandatory ARICs and RM (in addition to IA)
2016  Amendments made to LG Act requiring each council to:
        proactively manage risk under new guiding principles of the LG Act
        have an ARIC 6 months after elections after amendments proclaimed
2017  ICAC Botany Bay Council inquiry – had IA function but not effective, base LG model on NSW public sector model
2019  Release of OLG discussion paper proposing new regulatory framework
2021  Amendments proclaimed and framework released
Proclamation timeframes
LG Act amendments requiring councils to have an ARIC were made in 2016 and proclaimed on 18 August 2021
Proclamation was delayed to allow for regulations and guidelines to be developed in consultation with councils
LG Act requires councils to implement framework 6 months after the next ordinary council elections after proclamation:
  next elections to be held on 4 December 2021
  Framework commences 4 June 2022
2019 Discussion paper proposals
Framework goals
1. Each council has an independent ARIC that adds value to the council
2. Each council has a RM framework that accurately identifies and mitigates council’s risks
3. Each council has an IA function that provides independent assurance of council’s functioning, performance and controls
4. OLG establishes a strong minimum standard for these mechanisms based on internationally accepted standards and good practice
5. All councils can comply
Statutory framework
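ARIC’s role
ARIC to review (s 428A LG Act):
  Legislative compliance
  Risk management
  Performance measurement
  Service delivery
  Internal & external audit
  Fraud & corruption controls
  Financial management & performance
Shared arrangements
Two options:
  independent shared arrangements
  shared arrangement through JO or ROC
Councils can share all or part of their ARIC, IA function, secretariat etc on the proviso that no council can be disadvantaged from being in a shared arrangement
County councils encouraged to share with member council
JOs encouraged to establish shared arrangement or share with a member council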
Layers 2 and 3 – 2019 Discussion paper
Discussion paper released Sept 2019 - proposed layers 2 and 3 – regulations and guidelines
4-month consultation period - 19 September to 31 December 2019
Significant engagement - 150 submissions received:
  72 regional councils
  26 private individuals
  21 metro councils
  11 joint/regional organisations
  9 ARICs
  8 independent bodies
  3 county councils
Contributors to discussion paper
Also: guided by best practice approach, international standards, NSW Public Sector model, jurisdictional experience
2019 Discussion paper
ARICs
  completely independent of council (no councillor members)
  3-5 members all prequalified under NSW Govt prequalification scheme, must meet skills and independence requirements
  set member fees
  model terms of reference set by OLG
  annual and 4-year performance review
RM
  complies with Australian standards
  RM Coordinator oversees RM activities
  ARIC and IA review effectiveness
Overview
  Largely reflects NSW public sector model but with refinements to suit unique structure and needs of councils
2019 Discussion paper
IA
  independent of council (reports to ARIC)
  model IA charter set by OLG
  1 and 4 year workplans
  can be outsourced
  Chief Audit Executive oversees IA activities
  meets international standards
  annual and 4-year performance review
Accountability
  attestation/compliance certificate published in annual report
  indicates compliance with ARIC, RM and IA regulations
Overview
  IA – based on international standards with refinements to suit councils
  Attestation – based on NSW Public Sector Model
Feedback received
Key feedback
Overall model
Most overall feedback was about cost and best practice approach used:
Need different models for different councils
  Rural councils may find it harder to comply compared to metro councils:
    less able to attract ARIC members, IA and RM staff
    less resources to pay ARIC fees and staff costs
    simpler operating environments mean lower risk profiles and different ARIC, RM and IA needs
Need to minimise implementation costs
  For example:
    ARIC member fees
    staffing costs
    reporting requirements
    maximise use of local ARIC members to reduce travel costs
    use of external reviewers
Key feedback
ARICs
Most feedback raised about a specific element was about the composition of ARICs:
Relax independence criteria and prequalification
  Best practice criteria prevents appointment of members with LG and local community knowledge – e.g. former staff/councillors, community members with council links
  Prequalification unnecessary – will lose existing members, harder to attract prequalified members
Mixed views on whether councillors should be ARIC members
  Most controversial proposal:
  for councillor ARIC members: cite local/council knowledge and links to governing body
  against councillor ARIC members: cite need for ARIC to be completely independent to trust its advice, no politicisation
Key feedback
Internal audit
Mostly supportive – main concerns about independence and cost:
Mixed views on independence
  No need for in-house Chief Audit Executive
    outsource role to external provider/auditor
  Should report to GM not ARIC
    management tool for GMs use, no need for independence
Risk management
Strong support – main concerns about cost and links to IA:
Minority raised:
  Combining RM and IA roles in councils – may lead to bias in audits
Changes proposed
Changes being considered
ARICs:
New mandatory tiered approach with different prequalification requirements
3 tiers based on population, risk profile, revenue, proximity to urban centre:
  1. Rural councils, JOs, county councils
  2. Regional councils
  3. Metro councils + N/castle, W/gong, C/Coast, Lake Macq
All tiers must have a prequalified chair
Other ARIC members:
  1. Rurals/JOs/county councils – chair + 2 independent/un-prequalified members, can seek exemption from prequalified chair
  2. Regionals: chair + 1 prequalified member and 1 independent/un-prequalified member
  3. Metros: chair + 2 prequalified members
Changes being considered
ARICs:
New independence requirements that allow for members with LG knowledge whilst still maintaining independence
New term limits to make it easier to appoint ARIC members
  longer maximum terms
  coincide with council terms
New stronger links between ARIC and governing body
  annual and four-yearly meetings between ARIC and governing body to discuss key risks, trends, concerns
  optional councillor non-voting ARIC member
  quarterly reports to councillors to summarise ARIC findings and recommendations
New flexibility in ARIC’s role:
  reviews all matters in s428A over the council term
  more flexibility to shape ARIC’s role to council’s needs
Changes being considered
ARICs:
New flexibility for councils regarding confidentiality of ARIC agendas and minutes
  governing body decides each council term
New unrestricted access by ARIC to GM and senior staff only
  access to other staff requires GM approval
New stronger appointment and induction processes for ARIC members
New implementation timeline:
  all councils have an ARIC by June 2022
  compliance with membership requirements by 2027
Changes being considered
Risk management:
New flexibility in implementation and workforce resourcing
  RM Coordinator is now a ‘function’ not a ‘position’ that needs to be recruited to
  GM can delegate RM to any staff member
  removed need for RM responsibilities to be included in senior staff contracts
New ability for county councils and JOs to share RM
New accountability to the ARIC and governing body
  ARIC reviews RM framework each council term
  RM framework discussed with ARIC and governing body annually and each council term
New implementation timeline – compliance by 2024
Changes being considered
Internal Audit
New optional tiered approach for IA function to reduce costs and provide greater flexibility
Large councils (recommended):
  in-house IA function overseen by Head of IA (council employee) who supports ARIC and leads audits
  Head of IA meets requirements of professional internal auditor
  (if necessary) optional IA in-house staff or external providers undertake audits
Small-medium councils (recommended):
  external provider/auditor undertakes audits
  new ‘IA coordinator’ function performs administrative functions (e.g. mailbox between provider and ARIC, secretariat)
Changes being considered
Internal Audit
Rural/remote councils:
  encouraged to enter shared arrangement with other councils or their JO
JOs:
  encouraged to establish shared arrangement for member councils and JO to use, or
  utilise a member council’s ARIC and IA function
County councils:
  encouraged to utilise a member council’s ARIC and IA function
New simplified shared arrangements
  oversight by councillor and administrative committee removed
Changes being considered
Internal Audit
New flexibility in implementation and workforce resourcing:
  specific title and eligibility criteria for Head of IA function removed
  IA function can report to senior staff member other than GM
  can combine Head of IA function with another role provided safeguards are met
New implementation timeline – compliance by 2024
Changes being considered
Accountability
New: Attestation certificate signed by GM only
  GM to consult ARIC before publication
New: Attestation does not commence until 2027 to coincide with new implementation timeframes
New: Attestation template developed by OLG
  clarifies what councils are attesting to
New: OLG response to exemption requests to be published in council’s annual report to provide assurance to community
Next steps

This framework outlines the importance of audit, risk, and improvement committees (ARIC), internal audit (IA), and risk management (RM) in local councils in NSW under the Local Government Act 1993. It defines key terms, such as Audit Committee, Internal Audit, Risk Management, and the three lines of defense model. The implementation of these practices in both the private and public sectors, including requirements for ASX-listed companies and government departments/agencies, is also discussed.

  • Risk Management
  • Internal Audit
  • Local Councils
  • NSW
  • Governance

Uploaded on Jul 22, 2024 | 2 Views



Presentation Transcript


  1. New risk management and internal audit framework for local councils in NSW. Note: ARIC = audit, risk and improvement committee; IA = internal audit; RM = risk management; LG Act = Local Government Act 1993

  2. Background

  3. Definitions. Audit Committee: A committee of independent experts that advises the board/governing body of an organisation how it is performing and can improve; whether it is fulfilling all its corporate and legal responsibilities. Uses RM and IA to make judgements and give advice. Internal audit: A globally accepted mechanism that provides an organisation independent advice on whether: it has good governance (i.e. is run well); is performing successfully; is managing its risks effectively. Risk management: The coordinated activities taken by an organisation itself to: ensure it knows the risks it faces; manage the impact of these risks on the organisation’s ability to be successful and achieve its objectives

  4. Worldwide ‘three lines of defence’ model. TARGET - Council’s strategic goals, operations, service delivery, outcomes. 3rd line of defence: experts that provide independent external advice to council; reported to governing body & GM; e.g. independent ARIC, IA function. 2nd line of defence: management actions to ensure risks are properly managed; reported to GM; e.g. coordinated RM framework. 1st line of defence: everyday actions by staff to identify and manage risk; reported to staff & managers; e.g. council policies, procedures, rules, ‘the way things are done’. RISKS

  5. Cross-sector implementation. Private sector: All entities listed on ASX must have ARIC and report if they do not; All companies must disclose to potential investors if they have an ARIC or IA – most investors won’t invest if they don’t; All financial and superannuation institutions required to have ARIC and IA. Public sector: All Commonwealth Govt depts/agencies must have ARIC and RM. IA strongly encouraged; All NSW Govt depts/agencies must have ARICs, RM and IA; QLD, TAS, WA, VIC and NT Govt depts/agencies must have ARICs, RM and IA. Highly recommended in SA and ACT (as of 2019); WA, VIC, QLD councils must have ARICs and IA (as at 2019)

  6. Why do we want this in councils? Ensure councils achieve their strategic objectives, operational plans, delivery programs etc in the most efficient, effective and economical way; Ensure better use of public money; Reduce opportunities for fraud and corruption; Create a culture of continuous improvement in councils; Ensure better service delivery to communities; Deliver increased transparency and accountability

  7. Story so far. 2008: Voluntary Internal Audit Guidelines released by OLG. 2011: ICAC Burwood Council inquiry – found absence of IA allowed corruption to occur. 2012: Auditor-General recommends mandatory IA for councils. 2013: Independent reviews of LG Act recommend mandatory ARICs and RM (in addition to IA). 2016: Amendments made to LG Act requiring each council to: proactively manage risk under new guiding principles of the LG Act; have an ARIC 6 months after elections after amendments proclaimed. 2017: ICAC Botany Bay Council inquiry – had IA function but not effective, base LG model on NSW public sector model. 2019: Release of OLG discussion paper proposing new regulatory framework. 2021: Amendments proclaimed and framework released

  8. Proclamation timeframes. LG Act amendments requiring councils to have an ARIC were made in 2016 and proclaimed on 18 August 2021. Proclamation was delayed to allow for regulations and guidelines to be developed in consultation with councils. LG Act requires councils to implement framework 6 months after the next ordinary council elections after proclamation: next elections to be held on 4 December 2021; Framework commences 4 June 2022

  9. 2019 Discussion paper proposals

  10. Framework goals. 1. Each council has an independent ARIC that adds value to the council. 2. Each council has a RM framework that accurately identifies and mitigates council’s risks. 3. Each council has an IA function that provides independent assurance of council’s functioning, performance and controls. 4. OLG establishes a strong minimum standard for these mechanisms based on internationally accepted standards and good practice. 5. All councils can comply

  11. Statutory framework. Layer 1 – Legislation (LG Act): s 8 LG guiding principles - sound financial management and RM; s 428A - each council must have an ARIC; s 428B - councils can share ARICs. Layer 2 – New Regulations: Minimum regulatory requirements for ARICs, IA function and RM framework. Layer 3 – New Mandatory Guidelines: Replace the 2008 Internal Audit Guidelines by OLG; Provide comprehensive guidance

  12. ARIC’s role. ARIC to review (s 428A LG Act): Legislative compliance; Risk management; Performance measurement; Service delivery; Internal & external audit; Fraud & corruption controls; Financial management & performance

  13. Shared arrangements. Two options: independent shared arrangements; shared arrangement through JO or ROC. Councils can share all or part of their ARIC, IA function, secretariat etc on the proviso that no council can be disadvantaged from being in a shared arrangement. County councils encouraged to share with member council. JOs encouraged to establish shared arrangement or share with a member council

  14. Layers 2 and 3 – 2019 Discussion paper. Discussion paper released Sept 2019 - proposed layers 2 and 3 – regulations and guidelines. 4-month consultation period - 19 September to 31 December 2019. Significant engagement - 150 submissions received: 72 regional councils; 26 private individuals; 21 metro councils; 11 joint/regional organisations; 9 ARICs; 8 independent bodies; 3 county councils

  15. Contributors to discussion paper. Proposed framework developed in consultation with: Department of Finance, Services and Innovation (DFSI); NSW Audit Office; NSW Treasury; LG Internal Audit Network; The Institute of Internal Auditors (IIA) Australia

  16. 2019 Discussion paper – Overview. ARICs: completely independent of council (no councillor members); 3-5 members all prequalified under NSW Govt prequalification scheme, must meet skills and independence requirements; set member fees; model terms of reference set by OLG; annual and 4-year performance review. RM: complies with Australian standards; RM Coordinator oversees RM activities; ARIC and IA review effectiveness

  17. 2019 Discussion paper – Overview. IA: independent of council (reports to ARIC); model IA charter set by OLG; 1 and 4 year workplans; can be outsourced; Chief Audit Executive oversees IA activities; meets international standards; annual and 4-year performance review. Accountability: attestation/compliance certificate published in annual report; indicates compliance with ARIC, RM and IA regulations

  18. Feedback received

  19. Key feedback – Overall model. Most overall feedback was about cost and best practice approach used. Need different models for different councils: Rural councils may find it harder to comply compared to metro councils: less able to attract ARIC members, IA and RM staff; less resources to pay ARIC fees and staff costs; simpler operating environments mean lower risk profiles and different ARIC, RM and IA needs. Need to minimise implementation costs. For example: ARIC member fees; staffing costs; reporting requirements; maximise use of local ARIC members to reduce travel costs; use of external reviewers

  20. Key feedback – ARICs. Most feedback raised about a specific element was about the composition of ARICs. Relax independence criteria and prequalification: Best practice criteria prevents appointment of members with LG and local community knowledge – e.g. former staff/councillors, community members with council links; Prequalification unnecessary – will lose existing members, harder to attract prequalified members. Mixed views on whether councillors should be ARIC members (most controversial proposal): for councillor ARIC members: cite local/council knowledge and links to governing body; against councillor ARIC members: cite need for ARIC to be completely independent to trust its advice, no politicisation

  21. Key feedback. Internal audit: Mostly supportive – main concerns about independence and cost. Mixed views on independence: No need for in-house Chief Audit Executive – outsource role to external provider/auditor; Should report to GM not ARIC – management tool for GMs use, no need for independence. Risk management: Strong support – main concerns about cost and links to IA. Minority raised: Combining RM and IA roles in councils – may lead to bias in audits

  22. Changes proposed

  23. Changes being considered – ARICs. New mandatory tiered approach with different prequalification requirements. 3 tiers based on population, risk profile, revenue, proximity to urban centre: 1. Rural councils, JOs, county councils; 2. Regional councils; 3. Metro councils + N/castle, W/gong, C/Coast, Lake Macq. All tiers must have a prequalified chair. Other ARIC members: 1. Rurals/JOs/county councils – chair + 2 independent/un-prequalified members, can seek exemption from prequalified chair; 2. Regionals: chair + 1 prequalified member and 1 independent/un-prequalified member; 3. Metros: chair + 2 prequalified members

  24. Changes being considered – ARICs. New independence requirements that allow for members with LG knowledge whilst still maintaining independence. New term limits to make it easier to appoint ARIC members: longer maximum terms; coincide with council terms. New stronger links between ARIC and governing body: annual and four-yearly meetings between ARIC and governing body to discuss key risks, trends, concerns; optional councillor non-voting ARIC member; quarterly reports to councillors to summarise ARIC findings and recommendations. New flexibility in ARIC’s role: reviews all matters in s428A over the council term; more flexibility to shape ARIC’s role to council’s needs

  25. Changes being considered – ARICs. New flexibility for councils regarding confidentiality of ARIC agendas and minutes: governing body decides each council term. New unrestricted access by ARIC to GM and senior staff only: access to other staff requires GM approval. New stronger appointment and induction processes for ARIC members. New implementation timeline: all councils have an ARIC by June 2022; compliance with membership requirements by 2027

  26. Changes being considered – Risk management. New flexibility in implementation and workforce resourcing: RM Coordinator is now a ‘function’ not a ‘position’ that needs to be recruited to; GM can delegate RM to any staff member; removed need for RM responsibilities to be included in senior staff contracts. New ability for county councils and JOs to share RM. New accountability to the ARIC and governing body: ARIC reviews RM framework each council term; RM framework discussed with ARIC and governing body annually and each council term. New implementation timeline – compliance by 2024

  27. Changes being considered – Internal Audit. New optional tiered approach for IA function to reduce costs and provide greater flexibility. Large councils (recommended): in-house IA function overseen by Head of IA (council employee) who supports ARIC and leads audits; Head of IA meets requirements of professional internal auditor; (if necessary) optional IA in-house staff or external providers undertake audits. Small-medium councils (recommended): external provider/auditor undertakes audits; new ‘IA coordinator’ function performs administrative functions (e.g. mailbox between provider and ARIC, secretariat)

  28. Changes being considered – Internal Audit. Rural/remote councils: encouraged to enter shared arrangement with other councils or their JO. JOs: encouraged to establish shared arrangement for member councils and JO to use, or utilise a member council’s ARIC and IA function. County councils: encouraged to utilise a member council’s ARIC and IA function. New simplified shared arrangements: oversight by councillor and administrative committee removed

  29. Changes being considered – Internal Audit. New flexibility in implementation and workforce resourcing: specific title and eligibility criteria for Head of IA function removed; IA function can report to senior staff member other than GM; can combine Head of IA function with another role provided safeguards are met. New implementation timeline – compliance by 2024

  30. Changes being considered – Accountability. New: Attestation certificate signed by GM only; GM to consult ARIC before publication. New: Attestation does not commence until 2027 to coincide with new implementation timeframes. New: Attestation template developed by OLG; clarifies what councils are attesting to. New: OLG response to exemption requests to be published in council’s annual report to provide assurance to community

  31. Next steps. August 2021: Act amendments commenced - 18 August. Aug-Nov 2021: 3 month consultation on new guidelines and model documents, 24 August – 26 November. June 2022: Framework commences 4 June – all councils must have an ARIC; New regulations and guidelines prescribed before June. 2024-27: Full compliance: 2024 – RM and IA function; 2027 – ARIC composition
